Securing Information and Communications Systems : Principles, Technologies, and Applications.
Title:
Securing Information and Communications Systems : Principles, Technologies, and Applications.
Author:
Lopez, Javier.
ISBN:
9781596932296
Physical Description:
1 online resource (376 pages)
Contents:
Preface
CHAPTER 1 Introduction
CHAPTER 2 Security Concepts, Services, and Threats
  2.1 Definitions
  2.2 Threats and Vulnerabilities
    2.2.1 Threat Types
    2.2.2 Vulnerabilities
    2.2.3 Attacks and Misuse
    2.2.4 Impacts and Consequences of Security Breaches
  2.3 Security Services and Safeguards
    2.3.1 Identifying Assets and Risks
    2.3.2 Security Objectives
    2.3.3 Perspectives on Protection
  2.4 Conclusions
  References
CHAPTER 3 Business-Integrated Information Security Management
  3.1 Business-Integrated Information Security Management
  3.2 Applying the PDCA Model to Manage Information Security
  3.3 Information Security Management Through Business Process Management
  3.4 Factors Affecting the Use of Systematic Managerial Tools in Business-Integrated Information Security Management
  3.5 Information Security Management Standardization and International Business Management
  3.6 Business Continuity Management
  3.7 Conclusions
  References
CHAPTER 4 User Authentication Technologies
  4.1 Authentication Based on Secret Knowledge
    4.1.1 Principles of Secret Knowledge Approaches
    4.1.2 Passwords
    4.1.3 Alternative Secret-Knowledge Approaches
    4.1.4 Attacks Against Secret-Knowledge Approaches
  4.2 Authentication Based on Tokens
    4.2.1 Principles of Token-Based Approaches
    4.2.2 Token Technologies
    4.2.3 Two-Factor Authentication
    4.2.4 Attacks Against Tokens
  4.3 Authentication Based on Biometrics
    4.3.1 Principles of Biometric Technology
    4.3.2 Biometric Technologies
    4.3.3 Attacks Against Biometrics
  4.4 Operational Considerations
  4.5 Conclusions
  References
CHAPTER 5 Authorization and Access Control
  5.1 Discretionary Access Control (DAC)
    5.1.1 Implementation Alternatives
    5.1.2 Discussion of DAC
  5.2 Mandatory Access Control
    5.2.1 Need-to-Know Model
    5.2.2 Military Security Model
    5.2.3 Discussion of MAC
  5.3 Other Classic Approaches
    5.3.1 Personal Knowledge Approach
    5.3.2 Clark and Wilson Model
    5.3.3 Chinese Wall Policy
  5.4 Role-Based Access Control
    5.4.1 Core RBAC
    5.4.2 Hierarchical RBAC
    5.4.3 Constraint RBAC
    5.4.4 Discussion of RBAC
  5.5 Attribute-Based Access Control
    5.5.1 ABAC-A Unified Model for Attribute-Based Access Control
    5.5.2 Designing ABAC Policies with UML
    5.5.3 Representing Classic Access Control Models
    5.5.4 Extensible Access Control Markup Language
    5.5.5 Discussion of ABAC
  5.6 Conclusions
  References
CHAPTER 6 Data-Centric Applications
  6.1 Security in Relational Databases
    6.1.1 View-Based Protection
    6.1.2 SQL Grant/Revoke
    6.1.3 Structural Limitations
  6.2 Multilevel Secure Databases
    6.2.1 Polyinstantiation and Side Effects
    6.2.2 Structural Limitations
  6.3 Role-Based Access Control in Database Federations
    6.3.1 Taxonomy of Design Choices
    6.3.2 Alternatives Chosen in IRO-DB
  6.4 Conclusions
  References
CHAPTER 7 Modern Cryptology
  7.1 Introduction
  7.2 Encryption for Secrecy Protection
    7.2.1 Symmetric Encryption
    7.2.2 Public Key Encryption
  7.3 Hashing and Signatures for Authentication
    7.3.1 Symmetric Authentication
    7.3.2 Digital Signatures
  7.4 Analysis and Design of Cryptographic Algorithms
    7.4.1 Different Approaches in Cryptography
    7.4.2 Life Cycle of a Cryptographic Algorithm
    7.4.3 Insecure Versus Secure Algorithms
  7.5 Conclusions
  References
CHAPTER 8 Network Security
  8.1 Network Security Architectures
    8.1.1 ISO/OSI Network Security Architecture
    8.1.2 ISO/OSI Network Security Services
    8.1.3 Internet Security Architecture
  8.2 Security at the Network Layer
    8.2.1 Layer 2 Forwarding Protocol (L2F)
    8.2.2 Point-to-Point Tunneling Protocol (PPTP)
    8.2.3 Layer 2 Tunneling Protocol (L2TP)
  8.3 Security at the Internet Layer
    8.3.1 IP Security Protocol (IPSP)
    8.3.2 Internet Key Exchange Protocol
  8.4 Security at the Transport Layer
    8.4.1 Secure Shell
    8.4.2 The Secure Sockets Layer Protocol
    8.4.3 Transport Layer Security Protocol
  8.5 Security at the Application Layer
    8.5.1 Secure Email
    8.5.2 Web Transactions
    8.5.3 Domain Name System
    8.5.4 Network Management
    8.5.5 Distributed Authentication and Key Distribution Systems
    8.5.6 Firewalls
  8.6 Security in Wireless Networks
  8.7 Network Vulnerabilities
  8.8 Remote Attacks
    8.8.1 Types of Attacks
    8.8.2 Severity of Attacks
    8.8.3 Typical Attack Scenario
    8.8.4 Typical Attack Examples
  8.9 Anti-Intrusion Approaches
    8.9.1 Intrusion Detection and Prevention Systems
  8.10 Conclusions
  References
CHAPTER 9 Standard Public Key and Privilege Management Infrastructures
  9.1 Key Management and Authentication
  9.2 Public Key Infrastructures
    9.2.1 PKI Services
    9.2.2 Types of PKI Entities and Their Functionalities
  9.3 Privilege Management Infrastructures
  9.4 Conclusions
  References
CHAPTER 10 Smart Cards and Tokens
  10.1 New Applications, New Threats
    10.1.1 Typical Smart Card Application Domains
    10.1.2 The World of Tokens
    10.1.3 New Threats for Security and Privacy
  10.2 Smart Cards
    10.2.1 Architecture
    10.2.2 Smart Card Operating System
    10.2.3 Communication Protocols
  10.3 Side-Channel Analysis
    10.3.1 Power-Analysis Attacks
    10.3.2 Countermeasures Against DPA
  10.4 Toward the Internet of Things
    10.4.1 Advanced Contactless Technology
    10.4.2 Cloning and Authentication
    10.4.3 Privacy and Espionage
  10.5 Conclusions
  References
CHAPTER 11 Privacy and Privacy-Enhancing Technologies
  11.1 The Concept of Privacy
  11.2 Privacy Challenges of Emerging Technologies
    11.2.1 Location-Based Services
    11.2.2 Radio Frequency Identification
  11.3 Legal Privacy Protection
    11.3.1 EU Data Protection Directive 95/46/EC
    11.3.2 EU E-Communications Directive 2002/58/EC
    11.3.3 Data Retention Directive 2006/24/EC
    11.3.4 Privacy Legislation in the United States
  11.4 Classification of PETs
    11.4.1 Class 1: PETs for Minimizing or Avoiding Personal Data
    11.4.2 Class 2: PETs for the Safeguarding of Lawful Data Processing
    11.4.3 Class 3: PETs Providing a Combination of Classes 1 & 2
  11.5 Privacy Enhancing Technologies for Anonymous Communication
    11.5.1 Broadcast Networks and Implicit Addresses
    11.5.2 DC-Networks
    11.5.3 Mix Nets
    11.5.4 Private Information Retrieval
    11.5.5 New Protocols Against Local Attacker Model: Onion Routing, Web Mixes, and P2P Mechanisms
  11.6 Spyware and Spyware Countermeasures
  11.7 Conclusions
  References
CHAPTER 12 Content Filtering Technologies and the Law
  12.1 Filtering: A Technical Solution as a Legal Solution or Imperative?
    12.1.1 Filtering Categories
    12.1.2 A Legal Issue
  12.2 Content Filtering Technologies
    12.2.1 Blocking at the Content Distribution Mechanism
    12.2.2 Blocking at the End-User Side
    12.2.3 Recent Research Trends: The Multistrategy Web Filtering Approach
  12.3 Content-Filtering Tools
  12.4 Under- and Overblocking: Is Filtering Effective?
  12.5 Filtering: Protection and/or Censorship?
    12.5.1 The U.S. Approach
    12.5.2 The European Approach
    12.5.3 Filtering as Privatization of Censorship?
    12.5.4 ISPs' Role and Liability
  12.6 Filtering as Cross-National Issue
    12.6.1 Differing Constitutional Values: The Case of Yahoo!
    12.6.2 Territoriality, Sovereignty, and Jurisdiction in the Internet Era
  12.7 Conclusions
  References
CHAPTER 13 Model for Cybercrime Investigations
  13.1 Definitions
  13.2 Comprehensive Model of Cybercrime Investigation
    13.2.1 Existing Models
    13.2.2 The Extended Model
    13.2.3 Comparison with Existing Models
    13.2.4 Advantages and Disadvantages of the Model
    13.2.5 Application of the Model
  13.3 Protecting the Evidence
    13.3.1 Password Protected
    13.3.2 Encryption
    13.3.3 User Authentication
    13.3.4 Access Control
    13.3.5 Integrity Check
  13.4 Conclusions
  References
CHAPTER 14 Systemic-Holistic Approach to ICT Security
  14.1 Aims and Objectives
  14.2 Theoretical Background to the Systemic-Holistic Model
  14.3 The Systemic-Holistic Model and Approach
  14.4 Security and Control Versus Risk-Cybernetics
  14.5 Example of System Theories as Control Methods
    14.5.1 Soft System Methodology
    14.5.2 General Living Systems Theory
    14.5.3 Beer's Viable Systems Model
  14.6 Can Theory and Practice Unite?
  14.7 Conclusions
  References
CHAPTER 15 Electronic Voting Systems
  15.1 Requirements for an Internet-Based E-Voting System
    15.1.1 Functional Requirements
  15.2 Cryptography and E-Voting Protocols
    15.2.1 Cryptographic Models for Remote E-Voting
    15.2.2 Cryptographic Protocols for Polling-Place E-Voting
  15.3 Conclusions
  References
CHAPTER 16 On Mobile Wiki Systems Security
  16.1 Blending Wiki and Mobile Technology
  16.2 Background Information
  16.3 The Proposed Solution
    16.3.1 General Issues
    16.3.2 Architecture
    16.3.3 Authentication and Key Agreement Protocol Description
    16.3.4 Confidentiality & Integrity of Communication
  16.4 Conclusions
  References
About the Authors
Index
Abstract:
This one-stop reference gives you the latest expertise on everything from access control and network security to smart cards and privacy. Representing a total blueprint for security design and operations, this book brings all modern considerations into focus. It maps out user authentication methods that feature the latest biometric techniques, followed by authorization and access controls, including DAC, MAC, RBAC, and ABAC, and how these controls are best applied in today's relational and multilevel secure database systems.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.